I'm inclined to agree that Grav is a good choice, but it still has the exact same fault as other software out there, notably updates sometimes randomly breaking things in odd ways: https://blog.kronis.dev/everything%20is%20broken/grav-is-bro... (note: typically you shouldn't run software updates inside of containers due to their immutable nature and instead just run a newer version of the container, but if you're working with persistent volumes then there's also really nothing preventing you from doing so)

Of course, if you don't update it, you'll eventually run into security related issues, which is more or less inevitable whenever you expose anything with write access (even when it is technically protected by an username and password; our industry still keeps getting basic things wrong all the time), as opposed to fully static assets: https://blog.kronis.dev/everything%20is%20broken/grav-securi...

Personally, I will probably keep using Grav for the foreseeable future, maybe even some day carry over the theme customizations that I use as well as all of my content to a more recent version, but for now I'm stuck on a comparatively old version that's thankfully a bit locked down at the web server level. Don't get me the wrong way, WordPress will be even worse in regards to both updates and security, I've seen entire sites be brought down because of a single plugin needing an update that's no longer compatible with something else.